#1 | 04-11-2011 | Just Joined! | Join Date: Jan 2010 | Posts: 6
excluding unlink to a particular file in audit.rules
Hello.
I am running RHEL 5.4 Server (32-bit) and have my audit.rules file set up per a template that I am required to use. There is one particular rule that audit is auditing the unlink of files. With this set, my log files are filling up very fast, as there is a particular app that constantly touches/deletes a couple of files, which the unlink is catching. Here is the audit rule:
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
I commented out the "-S unlink" and my logging returns to normal (as expected). For right now, I was wondering if there was a way to set this rule up to exclude these couple of files from what auditd is capturing?
Thanks.
#2 | 04-28-2011 | Just Joined! | Join Date: Apr 2011 | Posts: 2
no ideas on how to exclude these 2 files... ever found a solution?
My best guess would be to add a cron job with a regular expression to delete the rows containing the 2 files' names, so that the logs would grow only until the next cron job starts, say every 10 minutes, so the logs would not be too large, making the job last ages...
Definitely not elegant, I know, but you would have your logs of unlinked files, not flooded with those 2 recurring files..
ciao!
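Before touching the rule (or purging rows, as suggested in #2), it is worth measuring which paths are actually flooding the "delete" key. The following is an added example, not code from either poster: it groups audit.log records by their audit serial, keeps the events whose SYSCALL record carries key="delete", and counts the non-directory PATH names. The log lines embedded in it are constructed in the RHEL 5 audit.log format; the paths, inode numbers and program names are made up.

```python
import re
from collections import Counter, defaultdict

# Record header "type=X msg=audit(<epoch>:<serial>): ..." and the key=value pairs after it
HEADER_RE = re.compile(r'^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return (type, serial, {field: value}) or None for a non-audit line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return rtype, serial, fields

def deleted_paths(lines, key="delete"):
    """Count file names removed by events tagged with `key`. Records of one event
    share a serial; the PATH item whose mode is not a directory (04xxxx) is the file."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec[1]].append((rec[0], rec[2]))
    counts = Counter()
    for recs in events.values():
        if not any(t == "SYSCALL" and f.get("key") == key for t, f in recs):
            continue
        for t, f in recs:
            if t == "PATH" and not f.get("mode", "04").startswith("04"):
                counts[f.get("name", "?")] += 1
    return counts

# Constructed sample audit.log excerpt (not real data); CWD records omitted for brevity
SAMPLE = """\
type=SYSCALL msg=audit(1302550100.101:201): arch=40000003 syscall=10 success=yes exit=0 auid=500 uid=500 comm="app" exe="/opt/app/app" key="delete"
type=PATH msg=audit(1302550100.101:201): item=0 name="/opt/app/run/" inode=1001 dev=fd:00 mode=040755 ouid=500 ogid=500
type=PATH msg=audit(1302550100.101:201): item=1 name="/opt/app/run/state.tmp" inode=1002 dev=fd:00 mode=0100644 ouid=500 ogid=500
type=SYSCALL msg=audit(1302550100.202:202): arch=40000003 syscall=10 success=yes exit=0 auid=500 uid=500 comm="app" exe="/opt/app/app" key="delete"
type=PATH msg=audit(1302550100.202:202): item=0 name="/opt/app/run/" inode=1001 dev=fd:00 mode=040755 ouid=500 ogid=500
type=PATH msg=audit(1302550100.202:202): item=1 name="/opt/app/run/state.tmp" inode=1003 dev=fd:00 mode=0100644 ouid=500 ogid=500
type=SYSCALL msg=audit(1302550105.303:203): arch=40000003 syscall=10 success=yes exit=0 auid=500 uid=500 comm="rm" exe="/bin/rm" key="delete"
type=PATH msg=audit(1302550105.303:203): item=0 name="/home/bob/" inode=2001 dev=fd:00 mode=040700 ouid=500 ogid=500
type=PATH msg=audit(1302550105.303:203): item=1 name="/home/bob/notes.txt" inode=2002 dev=fd:00 mode=0100644 ouid=500 ogid=500
type=SYSCALL msg=audit(1302550106.404:204): arch=40000003 syscall=5 success=yes exit=3 auid=500 uid=500 comm="cat" exe="/bin/cat" key="access"
type=PATH msg=audit(1302550106.404:204): item=0 name="/etc/passwd" inode=3001 dev=fd:00 mode=0100644 ouid=0 ogid=0
"""

if __name__ == "__main__":
    for name, n in deleted_paths(SAMPLE.splitlines()).most_common():
        print(n, name)
```

Counting this way keeps the audit trail intact, unlike deleting rows from audit.log, and gives the numbers needed to justify a rule change. auditctl also accepts `-a never,exit` suppression rules placed ahead of an `always` rule; whether such a rule reliably suppresses a file that is deleted and recreated continuously is something to verify on the target kernel with this same count before and after.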